Information Technology Grimoire

Version .0.0.1

IT Notes from various projects because I forget, and hopefully they help you too.

How to Delete the Hiberfile.sys in Windows 10

The hiberfile.sys file is a file used by windows when you choose to Hibernate your system. Read more about Hibernate vs Sleep and how to delete the hiberfile.sys file.

Hibernate Vs Sleep

Sleep is a lower power state where the computer still runs and all applications are still “on”, but operating in a way that conserves maximum power.

Hibernate is an “off” state where memory is written to disk and then rebuilt once the computer turns “on”.

If you do not use the hibernate feature, you can save several Gigabytes by disabling it. The options appear in the windows start menu after you click the power icon:

Delete the Hiberfile.sys

The command is simply “powercfg -h off”.

You will need to run this command from an administrator prompt (not the same thing as logging in as an administrator).

Unable to perform operation. An unexpected error (0x65b) has occurred: Function failed during execution.

Look at the file created using the dir /a command to show all files. As you don’t simply delete the file, watch as the file automatically goes away or is created based on if your powercfg -h is set to on/off. I have highlighted the commands so you can see what to type. If nothing is found, then you do not have a hiberfile.sys

Forensics and hiberfil.sys

If a forensics investigator gets access to your hiberfil.sys, it is trivial to recover all kinds of interesting information. It would be just like they had access to your computer, logged on as you - almost. Consider that the hiberfil.sys is written to disk, then “erased”, it would also be easy to recover past hiberfil.sys writes. For security reasons you should therefore consider not using the hiberfil.sys and consider full drive encryption.

Last updated on 27 Jan 2019
Published on 27 Jan 2019